npm - @de-otio/chaoskb-server - Versions diffs - 0.2.0 - Mend

@de-otio/chaoskb-server 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (157) hide show

package/dist/lib/admin-handler/index.d.ts +22 -0
package/dist/lib/admin-handler/index.d.ts.map +1 -0
package/dist/lib/admin-handler/index.js +92 -0
package/dist/lib/admin-handler/index.js.map +1 -0
package/dist/lib/admin-handler/index.ts +123 -0
package/dist/lib/admin-handler/routes/metrics.d.ts +11 -0
package/dist/lib/admin-handler/routes/metrics.d.ts.map +1 -0
package/dist/lib/admin-handler/routes/metrics.js +200 -0
package/dist/lib/admin-handler/routes/metrics.js.map +1 -0
package/dist/lib/admin-handler/routes/metrics.ts +234 -0
package/dist/lib/admin-handler/routes/overview.d.ts +9 -0
package/dist/lib/admin-handler/routes/overview.d.ts.map +1 -0
package/dist/lib/admin-handler/routes/overview.js +110 -0
package/dist/lib/admin-handler/routes/overview.js.map +1 -0
package/dist/lib/admin-handler/routes/overview.ts +133 -0
package/dist/lib/admin-handler/routes/tenants.d.ts +10 -0
package/dist/lib/admin-handler/routes/tenants.d.ts.map +1 -0
package/dist/lib/admin-handler/routes/tenants.js +108 -0
package/dist/lib/admin-handler/routes/tenants.js.map +1 -0
package/dist/lib/admin-handler/routes/tenants.ts +134 -0
package/dist/lib/chaoskb-stack.d.ts +22 -0
package/dist/lib/chaoskb-stack.d.ts.map +1 -0
package/dist/lib/chaoskb-stack.js +60 -0
package/dist/lib/chaoskb-stack.js.map +1 -0
package/dist/lib/constructs/admin-api.d.ts +16 -0
package/dist/lib/constructs/admin-api.d.ts.map +1 -0
package/dist/lib/constructs/admin-api.js +93 -0
package/dist/lib/constructs/admin-api.js.map +1 -0
package/dist/lib/constructs/admin-dashboard.d.ts +18 -0
package/dist/lib/constructs/admin-dashboard.d.ts.map +1 -0
package/dist/lib/constructs/admin-dashboard.js +172 -0
package/dist/lib/constructs/admin-dashboard.js.map +1 -0
package/dist/lib/constructs/api.d.ts +17 -0
package/dist/lib/constructs/api.d.ts.map +1 -0
package/dist/lib/constructs/api.js +81 -0
package/dist/lib/constructs/api.js.map +1 -0
package/dist/lib/constructs/auth.d.ts +11 -0
package/dist/lib/constructs/auth.d.ts.map +1 -0
package/dist/lib/constructs/auth.js +18 -0
package/dist/lib/constructs/auth.js.map +1 -0
package/dist/lib/constructs/blob-store.d.ts +10 -0
package/dist/lib/constructs/blob-store.d.ts.map +1 -0
package/dist/lib/constructs/blob-store.js +31 -0
package/dist/lib/constructs/blob-store.js.map +1 -0
package/dist/lib/deploy-cli.d.ts +3 -0
package/dist/lib/deploy-cli.d.ts.map +1 -0
package/dist/lib/deploy-cli.js +49 -0
package/dist/lib/deploy-cli.js.map +1 -0
package/dist/lib/handler/index.d.ts +23 -0
package/dist/lib/handler/index.d.ts.map +1 -0
package/dist/lib/handler/index.js +276 -0
package/dist/lib/handler/index.js.map +1 -0
package/dist/lib/handler/index.ts +372 -0
package/dist/lib/handler/logger.d.ts +16 -0
package/dist/lib/handler/logger.d.ts.map +1 -0
package/dist/lib/handler/logger.js +26 -0
package/dist/lib/handler/logger.js.map +1 -0
package/dist/lib/handler/logger.ts +36 -0
package/dist/lib/handler/middleware/input-validation.d.ts +6 -0
package/dist/lib/handler/middleware/input-validation.d.ts.map +1 -0
package/dist/lib/handler/middleware/input-validation.js +36 -0
package/dist/lib/handler/middleware/input-validation.js.map +1 -0
package/dist/lib/handler/middleware/input-validation.ts +44 -0
package/dist/lib/handler/middleware/rate-limit.d.ts +14 -0
package/dist/lib/handler/middleware/rate-limit.d.ts.map +1 -0
package/dist/lib/handler/middleware/rate-limit.js +94 -0
package/dist/lib/handler/middleware/rate-limit.js.map +1 -0
package/dist/lib/handler/middleware/rate-limit.ts +121 -0
package/dist/lib/handler/middleware/ssh-auth.d.ts +48 -0
package/dist/lib/handler/middleware/ssh-auth.d.ts.map +1 -0
package/dist/lib/handler/middleware/ssh-auth.js +256 -0
package/dist/lib/handler/middleware/ssh-auth.js.map +1 -0
package/dist/lib/handler/middleware/ssh-auth.ts +300 -0
package/dist/lib/handler/routes/audit.d.ts +24 -0
package/dist/lib/handler/routes/audit.d.ts.map +1 -0
package/dist/lib/handler/routes/audit.js +94 -0
package/dist/lib/handler/routes/audit.js.map +1 -0
package/dist/lib/handler/routes/audit.ts +101 -0
package/dist/lib/handler/routes/blobs.d.ts +13 -0
package/dist/lib/handler/routes/blobs.d.ts.map +1 -0
package/dist/lib/handler/routes/blobs.js +298 -0
package/dist/lib/handler/routes/blobs.js.map +1 -0
package/dist/lib/handler/routes/blobs.ts +348 -0
package/dist/lib/handler/routes/devices.d.ts +48 -0
package/dist/lib/handler/routes/devices.d.ts.map +1 -0
package/dist/lib/handler/routes/devices.js +394 -0
package/dist/lib/handler/routes/devices.js.map +1 -0
package/dist/lib/handler/routes/devices.ts +458 -0
package/dist/lib/handler/routes/export.d.ts +9 -0
package/dist/lib/handler/routes/export.d.ts.map +1 -0
package/dist/lib/handler/routes/export.js +40 -0
package/dist/lib/handler/routes/export.js.map +1 -0
package/dist/lib/handler/routes/export.ts +55 -0
package/dist/lib/handler/routes/github.d.ts +31 -0
package/dist/lib/handler/routes/github.d.ts.map +1 -0
package/dist/lib/handler/routes/github.js +118 -0
package/dist/lib/handler/routes/github.js.map +1 -0
package/dist/lib/handler/routes/github.ts +162 -0
package/dist/lib/handler/routes/health.d.ts +6 -0
package/dist/lib/handler/routes/health.d.ts.map +1 -0
package/dist/lib/handler/routes/health.js +14 -0
package/dist/lib/handler/routes/health.js.map +1 -0
package/dist/lib/handler/routes/health.ts +10 -0
package/dist/lib/handler/routes/invites.d.ts +24 -0
package/dist/lib/handler/routes/invites.d.ts.map +1 -0
package/dist/lib/handler/routes/invites.js +445 -0
package/dist/lib/handler/routes/invites.js.map +1 -0
package/dist/lib/handler/routes/invites.ts +527 -0
package/dist/lib/handler/routes/notifications.d.ts +39 -0
package/dist/lib/handler/routes/notifications.d.ts.map +1 -0
package/dist/lib/handler/routes/notifications.js +150 -0
package/dist/lib/handler/routes/notifications.js.map +1 -0
package/dist/lib/handler/routes/notifications.ts +163 -0
package/dist/lib/handler/routes/projects.d.ts +24 -0
package/dist/lib/handler/routes/projects.d.ts.map +1 -0
package/dist/lib/handler/routes/projects.js +47 -0
package/dist/lib/handler/routes/projects.js.map +1 -0
package/dist/lib/handler/routes/projects.ts +69 -0
package/dist/lib/handler/routes/register.d.ts +19 -0
package/dist/lib/handler/routes/register.d.ts.map +1 -0
package/dist/lib/handler/routes/register.js +327 -0
package/dist/lib/handler/routes/register.js.map +1 -0
package/dist/lib/handler/routes/register.ts +363 -0
package/dist/lib/handler/routes/restore.d.ts +9 -0
package/dist/lib/handler/routes/restore.d.ts.map +1 -0
package/dist/lib/handler/routes/restore.js +52 -0
package/dist/lib/handler/routes/restore.js.map +1 -0
package/dist/lib/handler/routes/restore.ts +73 -0
package/dist/lib/handler/routes/revocation.d.ts +13 -0
package/dist/lib/handler/routes/revocation.d.ts.map +1 -0
package/dist/lib/handler/routes/revocation.js +63 -0
package/dist/lib/handler/routes/revocation.js.map +1 -0
package/dist/lib/handler/routes/revocation.ts +87 -0
package/dist/lib/handler/routes/rotation.d.ts +24 -0
package/dist/lib/handler/routes/rotation.d.ts.map +1 -0
package/dist/lib/handler/routes/rotation.js +291 -0
package/dist/lib/handler/routes/rotation.js.map +1 -0
package/dist/lib/handler/routes/rotation.ts +336 -0
package/dist/lib/handler/routes/tenants.d.ts +11 -0
package/dist/lib/handler/routes/tenants.d.ts.map +1 -0
package/dist/lib/handler/routes/tenants.js +181 -0
package/dist/lib/handler/routes/tenants.js.map +1 -0
package/dist/lib/handler/routes/tenants.ts +198 -0
package/dist/lib/handler/routes/wrapped-key.d.ts +21 -0
package/dist/lib/handler/routes/wrapped-key.d.ts.map +1 -0
package/dist/lib/handler/routes/wrapped-key.js +76 -0
package/dist/lib/handler/routes/wrapped-key.js.map +1 -0
package/dist/lib/handler/routes/wrapped-key.ts +108 -0
package/dist/lib/index.d.ts +7 -0
package/dist/lib/index.d.ts.map +1 -0
package/dist/lib/index.js +16 -0
package/dist/lib/index.js.map +1 -0
package/dist/vitest.config.d.ts +3 -0
package/dist/vitest.config.d.ts.map +1 -0
package/dist/vitest.config.js +18 -0
package/dist/vitest.config.js.map +1 -0
package/package.json +61 -0

package/dist/lib/handler/routes/notifications.js ADDED Viewed

@@ -0,0 +1,150 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createNotification = createNotification;
+exports.handleGetNotifications = handleGetNotifications;
+exports.handleDismissNotification = handleDismissNotification;
+exports.resolveIpLocation = resolveIpLocation;
+const crypto = __importStar(require("crypto"));
+const lib_dynamodb_1 = require("@aws-sdk/lib-dynamodb");
+const logger_js_1 = require("../logger.js");
+const JSON_HEADERS = { 'Content-Type': 'application/json' };
+const TTL_30_DAYS = 30 * 24 * 60 * 60;
+/**
+ * Create a notification for a tenant.
+ *
+ * DynamoDB: PK: TENANT#{tenantId}, SK: NOTIFICATION#{timestamp}#{suffix}
+ */
+async function createNotification(tenantId, type, deviceInfo, ddb, tableName) {
+    const now = new Date().toISOString();
+    const suffix = crypto.randomBytes(4).toString('hex');
+    const ttl = Math.floor(Date.now() / 1000) + TTL_30_DAYS;
+    await ddb.send(new lib_dynamodb_1.PutCommand({
+        TableName: tableName,
+        Item: {
+            PK: `TENANT#${tenantId}`,
+            SK: `NOTIFICATION#${now}#${suffix}`,
+            type,
+            deviceInfo,
+            acknowledged: false,
+            timestamp: now,
+            ttl,
+        },
+    }));
+    logger_js_1.logger.info('Notification created', { tenantId, type });
+}
+/**
+ * GET /v1/notifications — return unacknowledged notifications for tenant.
+ */
+async function handleGetNotifications(tenantId, ddb, tableName) {
+    const result = await ddb.send(new lib_dynamodb_1.QueryCommand({
+        TableName: tableName,
+        KeyConditionExpression: 'PK = :pk AND begins_with(SK, :prefix)',
+        FilterExpression: 'acknowledged = :false',
+        ExpressionAttributeValues: {
+            ':pk': `TENANT#${tenantId}`,
+            ':prefix': 'NOTIFICATION#',
+            ':false': false,
+        },
+        ScanIndexForward: false, // newest first
+        Limit: 50,
+    }));
+    const notifications = (result.Items ?? []).map((item) => ({
+        id: item['SK'],
+        type: item['type'],
+        deviceInfo: item['deviceInfo'],
+        timestamp: item['timestamp'],
+    }));
+    return {
+        statusCode: 200,
+        headers: JSON_HEADERS,
+        body: JSON.stringify({ notifications }),
+    };
+}
+/**
+ * POST /v1/notifications/{id}/dismiss — mark notification as acknowledged.
+ */
+async function handleDismissNotification(tenantId, notificationId, ddb, tableName) {
+    try {
+        await ddb.send(new lib_dynamodb_1.UpdateCommand({
+            TableName: tableName,
+            Key: {
+                PK: `TENANT#${tenantId}`,
+                SK: notificationId,
+            },
+            UpdateExpression: 'SET acknowledged = :true',
+            ConditionExpression: 'attribute_exists(PK)',
+            ExpressionAttributeValues: {
+                ':true': true,
+            },
+        }));
+        return {
+            statusCode: 200,
+            headers: JSON_HEADERS,
+            body: JSON.stringify({ status: 'dismissed' }),
+        };
+    }
+    catch (err) {
+        if (err.name === 'ConditionalCheckFailedException') {
+            return {
+                statusCode: 404,
+                headers: JSON_HEADERS,
+                body: JSON.stringify({ error: 'not_found', message: 'Notification not found' }),
+            };
+        }
+        throw err;
+    }
+}
+/**
+ * G3: Resolve IP address to approximate location.
+ *
+ * For Lambda, use a lightweight approach: extract country/region from
+ * CloudFront headers if available, otherwise return null.
+ * A full MaxMind integration can be added later.
+ */
+function resolveIpLocation(headers) {
+    // CloudFront sets these headers when the distribution is configured
+    const country = headers['cloudfront-viewer-country'] || headers['CloudFront-Viewer-Country'];
+    const city = headers['cloudfront-viewer-city'] || headers['CloudFront-Viewer-City'];
+    const region = headers['cloudfront-viewer-country-region-name'] || headers['CloudFront-Viewer-Country-Region-Name'];
+    if (city && country) {
+        return region ? `${city}, ${region}, ${country}` : `${city}, ${country}`;
+    }
+    if (country) {
+        return country;
+    }
+    return null;
+}
+//# sourceMappingURL=notifications.js.map

package/dist/lib/handler/routes/notifications.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"notifications.js","sourceRoot":"","sources":["../../../../lib/handler/routes/notifications.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkCA,gDA2BC;AAKD,wDAgCC;AAKD,8DAqCC;AASD,8CAaC;AAlKD,+CAAiC;AACjC,wDAK+B;AAC/B,4CAAsC;AAQtC,MAAM,YAAY,GAAG,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC;AAC5D,MAAM,WAAW,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC;AAatC;;;;GAIG;AACI,KAAK,UAAU,kBAAkB,CACtC,QAAgB,EAChB,IAAsB,EACtB,UAAsB,EACtB,GAA2B,EAC3B,SAAiB;IAEjB,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACrC,MAAM,MAAM,GAAG,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IACrD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,WAAW,CAAC;IAExD,MAAM,GAAG,CAAC,IAAI,CACZ,IAAI,yBAAU,CAAC;QACb,SAAS,EAAE,SAAS;QACpB,IAAI,EAAE;YACJ,EAAE,EAAE,UAAU,QAAQ,EAAE;YACxB,EAAE,EAAE,gBAAgB,GAAG,IAAI,MAAM,EAAE;YACnC,IAAI;YACJ,UAAU;YACV,YAAY,EAAE,KAAK;YACnB,SAAS,EAAE,GAAG;YACd,GAAG;SACJ;KACF,CAAC,CACH,CAAC;IAEF,kBAAM,CAAC,IAAI,CAAC,sBAAsB,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;AAC1D,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,sBAAsB,CAC1C,QAAgB,EAChB,GAA2B,EAC3B,SAAiB;IAEjB,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,IAAI,CAC3B,IAAI,2BAAY,CAAC;QACf,SAAS,EAAE,SAAS;QACpB,sBAAsB,EAAE,uCAAuC;QAC/D,gBAAgB,EAAE,uBAAuB;QACzC,yBAAyB,EAAE;YACzB,KAAK,EAAE,UAAU,QAAQ,EAAE;YAC3B,SAAS,EAAE,eAAe;YAC1B,QAAQ,EAAE,KAAK;SAChB;QACD,gBAAgB,EAAE,KAAK,EAAE,eAAe;QACxC,KAAK,EAAE,EAAE;KACV,CAAC,CACH,CAAC;IAEF,MAAM,aAAa,GAAG,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QACxD,EAAE,EAAE,IAAI,CAAC,IAAI,CAAC;QACd,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC;QAClB,UAAU,EAAE,IAAI,CAAC,YAAY,CAAC;QAC9B,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC;KAC7B,CAAC,CAAC,CAAC;IAEJ,OAAO;QACL,UAAU,EAAE,GAAG;QACf,OAAO,EAAE,YAAY;QACrB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,aAAa,EAAE,CAAC;KACxC,CAAC;AACJ,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,yBAAyB,CAC7C,QAAgB,EAChB,cAAsB,EACtB,GAA2B,EAC3B,SAAiB;IAEjB,IAAI,CAAC;QACH,MAAM,GAAG,CAAC,IAAI,CACZ,IAAI,4BAAa,CAAC;YAChB,SAAS,EAAE,SAAS;YACpB,GAAG,EAAE;gBACH,EAAE,EAAE,UAAU,QAAQ,EAAE;gBACxB,EAAE,EAAE,cAAc;aACnB;YACD,gBAAgB,EAAE,0BAA0B;YAC5C,mBAAmB,EAAE,sBAAsB;YAC3C,yBAAyB,EAAE;gBACzB,OAAO,EAAE,IAAI;aACd;SACF,CAAC,CACH,CAAC;QAEF,OAAO;YACL,UAAU,EAAE,GAAG;YACf,OAAO,EAAE,YAAY;YACrB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;SAC9C,CAAC;IACJ,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,IAAK,GAAyB,CAAC,IAAI,KAAK,iCAAiC,EAAE,CAAC;YAC1E,OAAO;gBACL,UAAU,EAAE,GAAG;gBACf,OAAO,EAAE,YAAY;gBACrB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,wBAAwB,EAAE,CAAC;aAChF,CAAC;QACJ,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,iBAAiB,CAAC,OAA+B;IAC/D,oEAAoE;IACpE,MAAM,OAAO,GAAG,OAAO,CAAC,2BAA2B,CAAC,IAAI,OAAO,CAAC,2BAA2B,CAAC,CAAC;IAC7F,MAAM,IAAI,GAAG,OAAO,CAAC,wBAAwB,CAAC,IAAI,OAAO,CAAC,wBAAwB,CAAC,CAAC;IACpF,MAAM,MAAM,GAAG,OAAO,CAAC,uCAAuC,CAAC,IAAI,OAAO,CAAC,uCAAuC,CAAC,CAAC;IAEpH,IAAI,IAAI,IAAI,OAAO,EAAE,CAAC;QACpB,OAAO,MAAM,CAAC,CAAC,CAAC,GAAG,IAAI,KAAK,MAAM,KAAK,OAAO,EAAE,CAAC,CAAC,CAAC,GAAG,IAAI,KAAK,OAAO,EAAE,CAAC;IAC3E,CAAC;IACD,IAAI,OAAO,EAAE,CAAC;QACZ,OAAO,OAAO,CAAC;IACjB,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/lib/handler/routes/notifications.ts ADDED Viewed

@@ -0,0 +1,163 @@
+import * as crypto from 'crypto';
+import {
+  DynamoDBDocumentClient,
+  PutCommand,
+  QueryCommand,
+  UpdateCommand,
+} from '@aws-sdk/lib-dynamodb';
+import { logger } from '../logger.js';
+interface HandlerResponse {
+  statusCode: number;
+  body: string;
+  headers: Record<string, string>;
+}
+const JSON_HEADERS = { 'Content-Type': 'application/json' };
+const TTL_30_DAYS = 30 * 24 * 60 * 60;
+export type NotificationType = 'device_linked' | 'device_revoked' | 'key_rotated';
+export interface DeviceInfo {
+  hostname?: string;
+  platform?: string;
+  arch?: string;
+  osVersion?: string;
+  deviceModel?: string | null;
+  location?: string | null;
+}
+/**
+ * Create a notification for a tenant.
+ *
+ * DynamoDB: PK: TENANT#{tenantId}, SK: NOTIFICATION#{timestamp}#{suffix}
+ */
+export async function createNotification(
+  tenantId: string,
+  type: NotificationType,
+  deviceInfo: DeviceInfo,
+  ddb: DynamoDBDocumentClient,
+  tableName: string,
+): Promise<void> {
+  const now = new Date().toISOString();
+  const suffix = crypto.randomBytes(4).toString('hex');
+  const ttl = Math.floor(Date.now() / 1000) + TTL_30_DAYS;
+  await ddb.send(
+    new PutCommand({
+      TableName: tableName,
+      Item: {
+        PK: `TENANT#${tenantId}`,
+        SK: `NOTIFICATION#${now}#${suffix}`,
+        type,
+        deviceInfo,
+        acknowledged: false,
+        timestamp: now,
+        ttl,
+      },
+    }),
+  );
+  logger.info('Notification created', { tenantId, type });
+}
+/**
+ * GET /v1/notifications — return unacknowledged notifications for tenant.
+ */
+export async function handleGetNotifications(
+  tenantId: string,
+  ddb: DynamoDBDocumentClient,
+  tableName: string,
+): Promise<HandlerResponse> {
+  const result = await ddb.send(
+    new QueryCommand({
+      TableName: tableName,
+      KeyConditionExpression: 'PK = :pk AND begins_with(SK, :prefix)',
+      FilterExpression: 'acknowledged = :false',
+      ExpressionAttributeValues: {
+        ':pk': `TENANT#${tenantId}`,
+        ':prefix': 'NOTIFICATION#',
+        ':false': false,
+      },
+      ScanIndexForward: false, // newest first
+      Limit: 50,
+    }),
+  );
+  const notifications = (result.Items ?? []).map((item) => ({
+    id: item['SK'],
+    type: item['type'],
+    deviceInfo: item['deviceInfo'],
+    timestamp: item['timestamp'],
+  }));
+  return {
+    statusCode: 200,
+    headers: JSON_HEADERS,
+    body: JSON.stringify({ notifications }),
+  };
+}
+/**
+ * POST /v1/notifications/{id}/dismiss — mark notification as acknowledged.
+ */
+export async function handleDismissNotification(
+  tenantId: string,
+  notificationId: string,
+  ddb: DynamoDBDocumentClient,
+  tableName: string,
+): Promise<HandlerResponse> {
+  try {
+    await ddb.send(
+      new UpdateCommand({
+        TableName: tableName,
+        Key: {
+          PK: `TENANT#${tenantId}`,
+          SK: notificationId,
+        },
+        UpdateExpression: 'SET acknowledged = :true',
+        ConditionExpression: 'attribute_exists(PK)',
+        ExpressionAttributeValues: {
+          ':true': true,
+        },
+      }),
+    );
+    return {
+      statusCode: 200,
+      headers: JSON_HEADERS,
+      body: JSON.stringify({ status: 'dismissed' }),
+    };
+  } catch (err: unknown) {
+    if ((err as { name?: string }).name === 'ConditionalCheckFailedException') {
+      return {
+        statusCode: 404,
+        headers: JSON_HEADERS,
+        body: JSON.stringify({ error: 'not_found', message: 'Notification not found' }),
+      };
+    }
+    throw err;
+  }
+}
+/**
+ * G3: Resolve IP address to approximate location.
+ *
+ * For Lambda, use a lightweight approach: extract country/region from
+ * CloudFront headers if available, otherwise return null.
+ * A full MaxMind integration can be added later.
+ */
+export function resolveIpLocation(headers: Record<string, string>): string | null {
+  // CloudFront sets these headers when the distribution is configured
+  const country = headers['cloudfront-viewer-country'] || headers['CloudFront-Viewer-Country'];
+  const city = headers['cloudfront-viewer-city'] || headers['CloudFront-Viewer-City'];
+  const region = headers['cloudfront-viewer-country-region-name'] || headers['CloudFront-Viewer-Country-Region-Name'];
+  if (city && country) {
+    return region ? `${city}, ${region}, ${country}` : `${city}, ${country}`;
+  }
+  if (country) {
+    return country;
+  }
+  return null;
+}

package/dist/lib/handler/routes/projects.d.ts ADDED Viewed

@@ -0,0 +1,24 @@
+import { DynamoDBDocumentClient } from '@aws-sdk/lib-dynamodb';
+interface HandlerResponse {
+    statusCode: number;
+    body: string;
+    headers: Record<string, string>;
+}
+export interface SharedProjectMeta {
+    name: string;
+    role: string;
+    owner: string;
+    itemCount: number;
+}
+/**
+ * GET /v1/projects/available
+ *
+ * Query all shared projects this tenant has access to (via MEMBER# records).
+ * Returns metadata only: [{ name, role, owner, itemCount }]
+ *
+ * For now, returns an empty array with the correct shape.
+ * Full multi-tenant membership lookup is Phase 2+.
+ */
+export declare function handleListAvailableProjects(tenantId: string, ddb: DynamoDBDocumentClient, tableName: string): Promise<HandlerResponse>;
+export {};
+//# sourceMappingURL=projects.d.ts.map

package/dist/lib/handler/routes/projects.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"projects.d.ts","sourceRoot":"","sources":["../../../../lib/handler/routes/projects.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,sBAAsB,EAEvB,MAAM,uBAAuB,CAAC;AAI/B,UAAU,eAAe;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACjC;AAED,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;GAQG;AACH,wBAAsB,2BAA2B,CAC/C,QAAQ,EAAE,MAAM,EAChB,GAAG,EAAE,sBAAsB,EAC3B,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,eAAe,CAAC,CAmC1B"}

package/dist/lib/handler/routes/projects.js ADDED Viewed

@@ -0,0 +1,47 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.handleListAvailableProjects = handleListAvailableProjects;
+const rate_limit_js_1 = require("../middleware/rate-limit.js");
+const logger_js_1 = require("../logger.js");
+/**
+ * GET /v1/projects/available
+ *
+ * Query all shared projects this tenant has access to (via MEMBER# records).
+ * Returns metadata only: [{ name, role, owner, itemCount }]
+ *
+ * For now, returns an empty array with the correct shape.
+ * Full multi-tenant membership lookup is Phase 2+.
+ */
+async function handleListAvailableProjects(tenantId, ddb, tableName) {
+    const rateResult = await (0, rate_limit_js_1.checkRateLimit)(tenantId, 'GET', ddb, tableName);
+    if (!rateResult.allowed) {
+        return {
+            statusCode: 429,
+            headers: { 'Content-Type': 'application/json', ...(0, rate_limit_js_1.rateLimitHeaders)(rateResult) },
+            body: JSON.stringify({ error: 'rate_limited', message: 'Too many requests' }),
+        };
+    }
+    // Phase 2+: Query MEMBER# records for this tenant's public key
+    // For now, return an empty array with the correct shape.
+    //
+    // Future implementation:
+    //   const result = await ddb.send(new QueryCommand({
+    //     TableName: tableName,
+    //     IndexName: 'member-index',
+    //     KeyConditionExpression: 'memberPK = :pk',
+    //     ExpressionAttributeValues: { ':pk': `KEY#${tenantId}` },
+    //   }));
+    //   ... map results to SharedProjectMeta ...
+    const projects = [];
+    logger_js_1.logger.info('Listed available projects', {
+        tenantId,
+        operation: 'LIST_PROJECTS',
+        count: projects.length,
+    });
+    return {
+        statusCode: 200,
+        headers: { 'Content-Type': 'application/json', ...(0, rate_limit_js_1.rateLimitHeaders)(rateResult) },
+        body: JSON.stringify({ projects }),
+    };
+}
+//# sourceMappingURL=projects.js.map

package/dist/lib/handler/routes/projects.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"projects.js","sourceRoot":"","sources":["../../../../lib/handler/routes/projects.ts"],"names":[],"mappings":";;AA6BA,kEAuCC;AAhED,+DAA+E;AAC/E,4CAAsC;AAetC;;;;;;;;GAQG;AACI,KAAK,UAAU,2BAA2B,CAC/C,QAAgB,EAChB,GAA2B,EAC3B,SAAiB;IAEjB,MAAM,UAAU,GAAG,MAAM,IAAA,8BAAc,EAAC,QAAQ,EAAE,KAAK,EAAE,GAAG,EAAE,SAAS,CAAC,CAAC;IACzE,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;QACxB,OAAO;YACL,UAAU,EAAE,GAAG;YACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,GAAG,IAAA,gCAAgB,EAAC,UAAU,CAAC,EAAE;YAChF,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,OAAO,EAAE,mBAAmB,EAAE,CAAC;SAC9E,CAAC;IACJ,CAAC;IAED,+DAA+D;IAC/D,yDAAyD;IACzD,EAAE;IACF,yBAAyB;IACzB,qDAAqD;IACrD,4BAA4B;IAC5B,iCAAiC;IACjC,gDAAgD;IAChD,+DAA+D;IAC/D,SAAS;IACT,6CAA6C;IAE7C,MAAM,QAAQ,GAAwB,EAAE,CAAC;IAEzC,kBAAM,CAAC,IAAI,CAAC,2BAA2B,EAAE;QACvC,QAAQ;QACR,SAAS,EAAE,eAAe;QAC1B,KAAK,EAAE,QAAQ,CAAC,MAAM;KACvB,CAAC,CAAC;IAEH,OAAO;QACL,UAAU,EAAE,GAAG;QACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,GAAG,IAAA,gCAAgB,EAAC,UAAU,CAAC,EAAE;QAChF,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,CAAC;KACnC,CAAC;AACJ,CAAC"}

package/dist/lib/handler/routes/projects.ts ADDED Viewed

@@ -0,0 +1,69 @@
+import {
+  DynamoDBDocumentClient,
+  QueryCommand,
+} from '@aws-sdk/lib-dynamodb';
+import { checkRateLimit, rateLimitHeaders } from '../middleware/rate-limit.js';
+import { logger } from '../logger.js';
+interface HandlerResponse {
+  statusCode: number;
+  body: string;
+  headers: Record<string, string>;
+}
+export interface SharedProjectMeta {
+  name: string;
+  role: string;
+  owner: string;
+  itemCount: number;
+}
+/**
+ * GET /v1/projects/available
+ *
+ * Query all shared projects this tenant has access to (via MEMBER# records).
+ * Returns metadata only: [{ name, role, owner, itemCount }]
+ *
+ * For now, returns an empty array with the correct shape.
+ * Full multi-tenant membership lookup is Phase 2+.
+ */
+export async function handleListAvailableProjects(
+  tenantId: string,
+  ddb: DynamoDBDocumentClient,
+  tableName: string,
+): Promise<HandlerResponse> {
+  const rateResult = await checkRateLimit(tenantId, 'GET', ddb, tableName);
+  if (!rateResult.allowed) {
+    return {
+      statusCode: 429,
+      headers: { 'Content-Type': 'application/json', ...rateLimitHeaders(rateResult) },
+      body: JSON.stringify({ error: 'rate_limited', message: 'Too many requests' }),
+    };
+  }
+  // Phase 2+: Query MEMBER# records for this tenant's public key
+  // For now, return an empty array with the correct shape.
+  //
+  // Future implementation:
+  //   const result = await ddb.send(new QueryCommand({
+  //     TableName: tableName,
+  //     IndexName: 'member-index',
+  //     KeyConditionExpression: 'memberPK = :pk',
+  //     ExpressionAttributeValues: { ':pk': `KEY#${tenantId}` },
+  //   }));
+  //   ... map results to SharedProjectMeta ...
+  const projects: SharedProjectMeta[] = [];
+  logger.info('Listed available projects', {
+    tenantId,
+    operation: 'LIST_PROJECTS',
+    count: projects.length,
+  });
+  return {
+    statusCode: 200,
+    headers: { 'Content-Type': 'application/json', ...rateLimitHeaders(rateResult) },
+    body: JSON.stringify({ projects }),
+  };
+}

package/dist/lib/handler/routes/register.d.ts ADDED Viewed

@@ -0,0 +1,19 @@
+import { DynamoDBDocumentClient } from '@aws-sdk/lib-dynamodb';
+interface HandlerResponse {
+    statusCode: number;
+    body: string;
+    headers: Record<string, string>;
+}
+export declare function checkSignupsEnabled(paramName: string): Promise<boolean>;
+export declare function _resetSignupsCache(): void;
+/**
+ * GET /v1/register/challenge — generate a registration challenge nonce.
+ *
+ * Returns a 32-byte random nonce (base64-encoded) that must be signed by the
+ * client's SSH private key and submitted with the registration request.
+ * Challenge expires after 60 seconds and is single-use.
+ */
+export declare function handleChallenge(ddb: DynamoDBDocumentClient, tableName: string): Promise<HandlerResponse>;
+export declare function handleRegister(body: string | null | undefined, ddb: DynamoDBDocumentClient, tableName: string, signupsParamName: string): Promise<HandlerResponse>;
+export {};
+//# sourceMappingURL=register.d.ts.map

package/dist/lib/handler/routes/register.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"register.d.ts","sourceRoot":"","sources":["../../../../lib/handler/routes/register.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,sBAAsB,EAAyC,MAAM,uBAAuB,CAAC;AAmBtG,UAAU,eAAe;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACjC;AAUD,wBAAsB,mBAAmB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAkB7E;AAGD,wBAAgB,kBAAkB,IAAI,IAAI,CAEzC;AAkDD;;;;;;GAMG;AACH,wBAAsB,eAAe,CACnC,GAAG,EAAE,sBAAsB,EAC3B,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,eAAe,CAAC,CAyB1B;AAED,wBAAsB,cAAc,CAClC,IAAI,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EAC/B,GAAG,EAAE,sBAAsB,EAC3B,SAAS,EAAE,MAAM,EACjB,gBAAgB,EAAE,MAAM,GACvB,OAAO,CAAC,eAAe,CAAC,CAqN1B"}